Critical remote code execution vulnerability in Windows versions prior to Windows 8

A couple of weeks ago Microsoft released a security patch for a remote code execution vulnerability in its Remote Desktop Services (the component that implements the Remote Desktop Protocol, RDP); IT security audit specialists now report that around a million Windows systems have still not applied it and remain vulnerable to the flaw.

If exploited at scale, the vulnerability could have serious global consequences; the IT security audit specialists consider its destructive potential comparable to the WannaCry and NotPetya ransomware campaigns of 2017.

The vulnerability, CVE-2019-0708, known among specialists as “BlueKeep”, affects Windows XP, Windows Server 2003, Windows 7 and Windows Server 2008 (including 2008 R2). Windows 8 and later, and Windows Server 2012 and later, are not affected.

As reported, the flaw lets an unauthenticated remote attacker execute arbitrary code and take over the target machine; all that is required is to send specially crafted requests to the Windows Remote Desktop service over RDP, and no user interaction is needed. The vulnerable code is reachable before any credentials are checked, which is what makes the bug so dangerous. So far no public proof-of-concept exploit is known, although several researchers claim to have developed working exploits.

According to experts, the vulnerability is wormable: because exploitation needs neither credentials nor user interaction, malware could use it to spread from one vulnerable system to the next on its own, in the same way WannaCry did. Microsoft fixed the flaw in its May security updates. However, the IT security audit specialists report that around 950,000 Windows computers have still not installed those updates and therefore remain exposed to BlueKeep.

The specialists from the International Institute of Cyber Security (IICS) consider this a serious problem: for now, a vendor patch is the fastest way to fix a security vulnerability, but the fix only takes effect once system administrators actually install the update, and until they do the flaw remains exploitable.

If you are not able to install the updates right now, experts recommend the following mitigations (none of them replaces the patch; they only reduce exposure until it is applied):

  • Disable Remote Desktop Services on systems that do not need them, so nothing listens on the RDP port
  • Block TCP port 3389 with a firewall, both at the network perimeter and on the host, so the service is not reachable from untrusted networks
  • Enable Network Level Authentication (NLA): since the flaw sits in the pre-authentication part of the protocol, NLA forces an attacker to hold valid credentials for the target before the vulnerable code can be reached, which stops unauthenticated, worm-style exploitation but still leaves an authenticated attacker able to trigger the bug
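As an added example (not from the original article or its authors), the following PowerShell script audits a Windows 7 SP1 / Server 2008 R2 host for the conditions behind the three mitigations above and applies them. It assumes an elevated PowerShell session; the two KB numbers are assumed to be the May 2019 security-only and monthly-rollup updates for Windows 7 SP1 / Server 2008 R2, and must be checked against Microsoft's advisory for CVE-2019-0708 and replaced for other OS versions. The function names are my own.

```powershell
# Added example, not from the original article: audit a pre-Windows 8 host for
# BlueKeep exposure and apply the three recommended mitigations.
# Run in an elevated PowerShell session on Windows 7 SP1 / Server 2008 R2.
# ASSUMPTION: KB4499175 (security-only) and KB4499164 (monthly rollup) are the
# May 2019 updates for Windows 7 SP1 / Server 2008 R2. Other OS versions use
# different KB numbers; take them from Microsoft's advisory for CVE-2019-0708.
$BlueKeepKBs = @('KB4499175', 'KB4499164')
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-BlueKeepExposure {
    # Is at least one of the fixing updates installed?
    $patched = [bool](Get-HotFix -Id $BlueKeepKBs -ErrorAction SilentlyContinue)
    # fDenyTSConnections = 1 means Remote Desktop is switched off.
    $rdpEnabled = (Get-ItemProperty -Path $TsKey).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means NLA is required before the RDP session starts.
    $nla = (Get-ItemProperty -Path $RdpKey).UserAuthentication -eq 1
    # Is anything actually listening on TCP 3389 on this host?
    $listening = [bool](netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING')
    # New-Object instead of [pscustomobject] so the script also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        Patched       = $patched
        RdpEnabled    = $rdpEnabled
        NlaEnabled    = $nla
        PortListening = $listening
        # Exposed to an unauthenticated remote exploit: unpatched, RDP on, no NLA.
        Exposed       = (-not $patched) -and $rdpEnabled -and (-not $nla)
    }
}

function Disable-RemoteDesktop {
    # Mitigation 1: for hosts that do not need RDP at all. Refuse connections and
    # stop the service so nothing listens on 3389.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Stop-Service -Name TermService -Force
    Set-Service -Name TermService -StartupType Disabled
}

function Block-RdpPort {
    # Mitigation 2: inbound host-firewall block on TCP 3389. netsh is used because
    # New-NetFirewallRule does not exist on Windows 7 / Server 2008 R2.
    # Windows Firewall gives block rules precedence over allow rules, so on a box you
    # administer over RDP do not add this rule; instead narrow the existing
    # "Remote Desktop" allow rule to your management subnet with
    # netsh advfirewall firewall set rule ... new remoteip=<subnet>.
    netsh advfirewall firewall add rule name="Block inbound RDP (CVE-2019-0708)" `
        dir=in action=block protocol=TCP localport=3389 | Out-Null
}

function Enable-Nla {
    # Mitigation 3: require Network Level Authentication. BlueKeep is reachable before
    # authentication; with NLA the client must first authenticate via CredSSP, so an
    # unauthenticated exploit never reaches the vulnerable code. Clients without
    # CredSSP support (e.g. an old Windows XP mstsc) will no longer be able to connect.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name SecurityLayer     -Value 2 -Type DWord  # 2 = TLS
}

# Audit first, then mitigate only what is actually exposed.
$state = Get-BlueKeepExposure
$state | Format-List Patched, RdpEnabled, NlaEnabled, PortListening, Exposed
if ($state.Exposed) {
    Enable-Nla                 # safe on hosts that must keep RDP available
    # Disable-RemoteDesktop    # additionally, where RDP is not needed at all
    # Block-RdpPort            # additionally, where nobody administers this host over RDP
    Get-BlueKeepExposure | Format-List Patched, RdpEnabled, NlaEnabled, PortListening, Exposed
}
```

The audit function reports `Exposed` only when the host is unpatched, has RDP enabled and lacks NLA, because that is the combination a worm can exploit without credentials; a patched host, or one with NLA, still shows its other settings so you can see what remains to do. Run it again after the real update is installed and `Patched` should flip to `True`.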